Finally learnt why my npf efforts had still failed on my Linode NetBSD even since switching to KVM (and in hindsight perhaps why I could never get it working on Xen): Because I use securelevel 1. Doh!
I now have the following in a
npf bpfjit sljit npf_alg_icmp
npf was not enough as I’d get the following without
npfctl: source /usr/src/sys/net/npf/npf_ctl.c line 231 npfctl: npfctl_config_send: Invalid argument
npf_alg_icmp is required for the Application Level Gateway stuff.
npfctl reload will still moan about bpfjit even with it, but it seems to actually work ok.
I’ve also updated this npf post.
[EDIT 2018-02-18] I’m pretty sure that securelevel screws with the creation of the npflog0 interface. I never had a problem until the post-Meltdown era, but I suspect the multiple reboots, migrations and a rebuild I’ve tried removed this interface and then it wouldn’t recreate. You could probably boot without securelevel to get the interface created and then reboot with it enabled and it’d stick.
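A preflight check for the situation described above, added here as an example and not part of the original post: it compares the modules named in the post against modstat output and reports whether the current securelevel still allows loading the missing ones. It assumes NetBSD's documented behaviour that kernel modules cannot be loaded once securelevel is 1 or higher; the function names and the sample modstat text are made up for illustration.

```shell
#!/bin/sh
# Modules the post lists for boot-time loading.
REQUIRED="npf bpfjit sljit npf_alg_icmp"

# Constructed sample of modstat output; only the NAME column is used,
# the other columns are illustrative.
SAMPLE_MODSTAT='NAME          CLASS   SOURCE   REFS  SIZE  REQUIRES
bpf           driver  builtin  0     -     -
npf           driver  filesys  1     -     bpf
npf_alg_icmp  misc    filesys  0     -     npf'

# Read modstat-style text on stdin; print each required module not loaded.
missing_modules() {
    loaded=$(awk 'NR > 1 { print $1 }')
    for m in $REQUIRED; do
        printf '%s\n' "$loaded" | grep -qxF "$m" || printf '%s\n' "$m"
    done
}

# preflight LEVEL < modstat output
# Returns 0: all loaded; 1: missing and securelevel >= 1 (cannot be loaded
# until reboot); 2: missing but securelevel still permits loading.
preflight() {
    level=$1
    missing=$(missing_modules | tr '\n' ' ')
    if [ -z "$missing" ]; then
        echo "ok: all npf modules loaded"
        return 0
    fi
    if [ "$level" -ge 1 ]; then
        echo "blocked: securelevel $level, missing: $missing"
        return 1
    fi
    echo "loadable: securelevel $level, missing: $missing"
    return 2
}

# On a NetBSD host: modstat | preflight "$(sysctl -n kern.securelevel)"
printf '%s\n' "$SAMPLE_MODSTAT" | preflight 1 || echo "exit status: $?"
```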